Your Cyber Plan in Stages — Red Flagg™
How we work — the honest version

Your cyber plan
in stages.

Three levels. One starting point. Every customer begins with Level 0 — people, culture, reporting habits — before any technical control is locked down. Then Essential Eight Level 1 across four phases. Level 2-3 if and when it makes sense.

Book a free assessment → Download the brochure
A typical Level 1 journey runs 12 to 24 months in most environments, longer for complex ones. We'll give you a specific timeline for your organisation after the audit, not before.
Your Journey

Three levels.
One starting point.

Every Red Flagg™ customer follows the same arc. We start with people, then we layer in the technical controls, then we monitor and improve. No one skips Level 0. No one starts at Level 1. The order matters.

i
We strongly recommend every customer starts at Level 0. Even if your environment is technically tidy, Level 0 is the foundation. People are how most attacks begin. Building a reporting habit, awareness, and the everyday safety basics comes first. Skipping this is what makes every later step fragile.
All levels align to: ACSC Essential Eight NIST CSF CIS Controls v8
Level 0 · Start here
People
and culture
Minimum 6 to 12 months

The foundation. Where every customer starts.

Level 0 is something Red Flagg™ does that many cyber providers don't. They focus on technical settings first. We start with people. Awareness, reporting habits, and a culture where staff feel safe to speak up are what make every other step work. Without this, no technical layer holds for long.

Your team becomes your first and strongest line of defence. We run training, send simulated phishing tests, and build the way staff report things. We deploy the password manager and lock down email domain spoofing. And we set up clear paths for what to do when something feels off.

The 10 Level 0 controls
Security awareness training delivered
Phishing simulation campaigns conducted
Staff reporting culture established
MailCheck™ deployed and in use
Clear escalation pathways in place
Inbound email filtering and anti impersonation set up (SPF, DKIM, DMARC)
Account audit and stale identity cleanup
Ongoing analyst review and support
Password manager rolled out (we use Bitwarden as our preferred tool, paid per user)
DMARC email protection enforced
Level 1 · Once Level 0 is solid
Essential
Eight
Typically 12 to 24 months

The Australian Government baseline. 48 controls. Four phases.

Level 1 is the full ACSC Essential Eight Maturity Level 1 — the technical baseline cyber standard for Australian organisations. We deliver the 48 controls progressively over 12 to 24 months in most environments, longer for complex ones. Your analyst will give you a specific timeline for your environment after the audit. Each control sticks, and your team isn't overwhelmed.

This is the journey detailed below. Application Control. Multi factor authentication. Patch cadence. Macro hardening. Browser lockdown. Backup. Admin separation. It's only meaningful if Level 0 is solid first. Without an awareness culture, the technical controls have nothing holding them up.

Level 2-3 · Advanced
Monitored
and advanced
Quoted project by project

Consistent, monitored controls built into daily operations.

Level 2 and Level 3 are for organisations with higher risk exposure, regulatory scrutiny, or funder audit requirements. The controls become more strict, the monitoring becomes continuous, and the response capability becomes more sophisticated.

This isn't a journey we promise on day one. It's a conversation we have with customers who've completed Level 1, are seeing real maturity in their day to day operations, and have a regulatory or operational reason to go further.

Examples of what Level 2-3 might include:

Continuous security monitoring and alerting
Threat hunting across endpoints and identity
Application Control with WDAC at full enforcement
Privileged Access Management (PAM)
Security automation and incident response (SOAR)
Hardened logging and centralised audit trails

Every Level 2-3 engagement is scoped, costed, and timed against your specific environment. We don't sell it as a package because it isn't one.

How we tell you what's coming

So your team always
knows what to expect.

Every action in your plan gets one of three colours. You'll see them in your scorecards, in your reports, and in conversation with your analyst. No guessing what's next.

Green · Quiet

Background work. We do it. Your team won't notice. No staff disruption, no behaviour change, no learning curve.

Amber · Approval needed

Approval and comms. You sign off. Brief staff message needed. Light disruption — usually a one off prompt or setting change.

Red · Real change

Real change. Workflows shift, training needed, some friction. Proper change management with your leadership and your team.

48
Level 1 controls
4
Delivery phases
12–24
Typical months to complete
1
Named analyst, every step
Level 1 · The Four Phases

How we deliver
Essential Eight Level 1.

Once Level 0 is solid, this is how the 48 Essential Eight Level 1 controls get rolled out. Each phase builds on the one before. Most of the work is quiet — green and amber together account for the majority of controls. The red ones get planned carefully, communicated clearly, and never sprung on your team.

PHASE 01
Switch on
the easy ones
Typically 3 to 9 months
The technical controls Microsoft already gives you. We turn them on, configure them properly, and start collecting the data we'll need for the rest of the work. Background scanning, Microsoft Autopatch, Internet Explorer removal, MFA tightening.
Mostly background work
Tools we use: Microsoft Intune, Windows Autopatch, Defender for Business, Microsoft Authenticator
PHASE 02
Tighten
the bolts
Typically 3 to 12 months
Macro hardening, browser lockdown, customer facing MFA, separate admin accounts. Your team will see one prompt or setting change and that's it. Most of these are well trodden — clear comms, clean rollout.
Approval + comms
Tools we use: Conditional Access, Defender Attack Surface Reduction, Microsoft Edge hardening, Entra ID
PHASE 03
Do the
heavy lifting
Typically 3 to 18 months
The work that takes longer because it has to be done carefully. Application Control (AppLocker / WDAC) runs in audit mode for weeks before we ever switch to enforce. Backup gets stood up properly. Admin accounts get fully isolated. Old Windows devices get replaced.
Real change
Tools we use: AppLocker, Microsoft 365 Backup, Privileged Access Workstations, Intune device replacement
PHASE 04
Cross the
finish line
Typically 3 to 9 months
The final step. AppLocker switches from audit to enforce mode. We run the disaster recovery test on backups so we know the safety net actually works. The framework is now Level 1 complete and we sit down with your board.
Approval + comms
Tools we use: AppLocker enforce, Microsoft 365 Backup restore test, Sign-off documentation

This is a partnership.

Some decisions are ours — configuration, deployment, ongoing monitoring. Some decisions are yours — what's an approved application list, who needs admin access, what counts as sensitive data. Your analyst guides you through the choices that belong to you. There are no surprises and there's no blame attribution. We work it out together.

Things to budget for

Costs beyond your subscription.

  • Microsoft 365 BackupConsumption based pricing. We walk you through it before anything is turned on.
  • Privileged access hardwareOne to three admin users may need a dedicated environment in Phase 3. Could be a device, a VM, or a privileged access workstation.
  • Defender Vulnerability ManagementA paid Microsoft add on. Only needed if your environment requires daily server scanning.
Australian Regulatory Context

Built around
what regulators expect.

Our framework aligns to the standards Australian regulators reference when they assess cyber posture. Your scorecard tells the story to your board, your funders, and — if it ever comes to it — the regulator.

ACSC Essential Eight NIST CSF CIS Controls v8 Australian Privacy Principles OAIC Notifiable Data Breach scheme ACNC awareness for NFPs POPIA (South Africa)

This framework supports your obligations under the Australian Privacy Principles and the Notifiable Data Breach scheme, and helps not for profits demonstrate cyber maturity to funders and the ACNC. It is not a substitute for your own privacy and governance obligations.

For US and international customers. The Essential Eight maps directly to NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover) and CIS Controls v8. If you operate under HIPAA, SOC 2, ISO 27001, or other international frameworks, your analyst will walk you through the equivalent control mapping for your sector.

Plain English Glossary

The terms
worth knowing.

A few terms come up across the framework. Here they are, in plain English, so when your analyst uses them you're not flying blind.

Audit mode
A safety phase. The control logs what would happen, but doesn't actually block anything yet. Lets us refine before going live.
Enforce mode
The live phase. The control is now active. Anything not approved gets blocked.
Application Control (AppLocker / WDAC)
Only software your organisation has approved is allowed to run. Everything else is blocked.
Conditional Access
Microsoft's policy engine for who can sign in, from where, on what device. The brain behind modern MFA.
Privileged access workstation
A locked down device an admin uses for admin work only. Keeps admin tasks separate from email and browsing.
GDAP
Granular Delegated Admin Privileges. The way Microsoft Partners safely access your environment with your approval and full visibility.

Ready to start
the journey?

Book a free Cyber Maturity Assessment. We'll walk you through where you are, what's possible, and what your first 90 days could look like. No jargon. No pressure. We'll be in touch within one business day.

Book a free assessment → Download the brochure

Microsoft Partner · Essential Eight aligned · NIST CSF · CIS Controls v8 · ABN 81 683 346 116 · Proudly Australian

Cyber security built around people. Australian based, plain English, and practical help you can call on.

If something feels off, check it with Red Flagg™. That's what we're here for.

© 2026 Red Flagg Pty Ltd · ABN 81 683 346 116 · This document forms part of the Red Flagg™ service description. Specific commercial terms sit in your service agreement.